[Cybersecurity] Why safer HTTPS

Others 2019-11-04 18:35:43 views: null

table of Contents

HTTP and HTTPS Introduction

Why 1. HTTP protocol is not secure

http protocol is clear text transport protocol, interaction and data transfers are not encrypted, the communicating parties nor any certification, the communication process is very vulnerable to hijacking, monitoring, tamper, in severe cases, can cause malicious traffic hijacking and other issues, even resulting in disclosure of personal privacy (such as bank card number and password leak) and other serious security problems.

Http communication metaphor can send the same letter, A to B send a letter, a letter sent in the process, after going through several postman hand, they can read the contents of the open channel (http as plain text transmission) . A letter inside any content (including all types of account numbers and passwords) will be easily stolen. In addition, the postman can also be forged or modify the contents of the letter, the letter resulting in the received content B is false.

Such as common, at http communication process, "middleman" will be embedded advertising links to http server message sent to the user, the user interface resulting in a lot of bad links; or modify the user's request header URL, causing the user's request to be hijacked to another site, the user's request never reach the real server. These will lead to service users are not correct, or even losses.

2. HTTPS how to ensure safety

We all know that HTTPS is the secure HTTP, HTTPS then is how to ensure the security of the communication process it?

If the server to the client's message is encrypted, only the server and client can read, you can guarantee the confidentiality of the data. At the same time, before the exchange of data, verify each other's legal status, you can ensure the safety of communication between the parties. ( And we usually develop in RSA signed endorsement inspection, encryption and decryption process more like ). HTTPS is the use of a similar principle to ensure the security of communications. Here we look at specific implementation process.

SSL protocol

Basis HTTPS for secure communications are SSL protocol.

SSL : (Secure the Socket Layer, Secure Sockets Layer), as developed by Netscape to protect the security of data transmission in the Internet, using data encryption (Encryption) technology to ensure data is not transmitted on the network during the He is intercepted. The current version is 3.0. It has been widely used for authentication and encryption of data transferred between the Web browser and the server.

SSL protocol is located between the TCP / IP protocol with a variety of application-layer protocol that provides secure support for data communications. SSL protocol can be divided into two layers: SSL Record Protocol (SSL Record Protocol): it is based on a reliable transport protocol (e.g., TCP), to provide high-level protocol data encapsulation, compression, encryption support basic functions. SSL handshake protocol (SSL Handshake Protocol): It is built on top of the SSL Record protocol for data transmission before the actual start of communication between the two sides authentication, negotiate an encryption algorithm, encryption key exchange and so on.

The main function of the SSL protocol

  • Server and user authentication to ensure data is sent to the correct client and server;
  • Encrypting data to prevent the data from being stolen way;
  • Maintain data integrity to ensure data is not changed during transmission.

Here we take a look at the specific SSL protocol is how to achieve the above three functions.

Principle of SSL protocol to encrypt data

The above-mentioned message will be encrypted communication of SSL protocol, then the server data encryption, client how to read the data it? The server must take encryption key (SSL packets of encrypted using a symmetric encryption technique, such as DES, 3DES, AES, etc.) to tell the client, the client can use a symmetric key to unlock the contents of the ciphertext. However, if this symmetric key server in clear text to the client, or will be intercepted by middlemen who also knows symmetric key, still can not guarantee the confidentiality of communications. However, if the server ciphertext way symmetric key to the client, the client and how to unlock the ciphertext to obtain the symmetric key where it? See below show the operation of the SSL.

Certification process users and servers

  1. Middleman hijacking

The above encryption process seems to be perfect and, indeed, able to transmit encrypted messages, but this approach still can not resist the "middleman contacts." Three-way handshake or the client sends an HTTP request process, the client's request was hijacked intermediaries, intermediary then you can masquerade as "fake client" and server communication:

After the intermediary of receipt of the server to the client's public key (here is the "correct public key"), and not to the client, but the middleman own public key (here middleman will have a public and a private key here is called "fake public key") to the client. Thereafter, the symmetric key with the client after the "fake public key" encryption during transmission through the middlemen who can use his own private key to decrypt the symmetric key to get the data and, at this time then the symmetric key intermediaries with "correct public key" encryption sent back to the server. At this time, the client, an intermediary servers have the same symmetric key, follow all the client and server encrypted data can decrypt it by intermediary symmetric key.

To solve this problem, we introduced the concept of digital certificates. First, the server generates a public and private key, the public key provided to the relevant authorities (CA), CA digital certificate and public key into the digital certificate issued to the server, then the server is not a simple public key to the client, but to a client digital certificate, digital certificate added to some of the digital signature mechanism to ensure that the digital certificate must be a server to the client. Forged certificate sent by the intermediary, is not able to obtain the CA's certificate, at this time, the client and the server will know that the communication was hijacked .

  1. About CA certificate

Digital certificate digital certificate is achieved through digital signature, and content will include a signature certificate of the certificate if the certificate issued. We verify that the certificate has been tampered with is: by the contents of the certificate signature, the signature obtained is then issued with the certificate and the signature do comparison, if they match the certificate has not been tampered with.

Digital certificates also have a lot of issuing authority, a certificate issued by various issuing authority, use is not the same, such as iOS development, the use of ipa file signature to the certificate, you need to apply for Apple. In order to prevent the transmission of Web content security in the network, SSL certificates need to use will need to be issued to several recognized organizations in Web Access. The issuing authority referred to as CA (Certificate Authority).

General features of digital certificates as follows:

  • As an authorized: to ensure web browser access is through CA certificates trusted site.

  • Distribute public keys: Each digital certificate contains a public key generated by the registrant ( verification is to ensure that legitimate, non-forged public key ). It will handshake through the SSL Certificate message transmitted to the client.

  • Verify the legitimacy of the certificate: a client receives the digital certificate, the certificate of legality verification. Only after the verification by the certificate, it is possible to perform the subsequent communication process.

TLS

The TLS : (Transport Security Layer, Transport Layer Security), is used between two applications provide confidentiality and data integrity.
TLS 1.0 is a new protocol IETF (Internet Engineering Task Force, Internet Engineering Task Force) to develop, it is built on SSL 3.0 protocol specification, is the follow-up version of SSL 3.0, can be understood as SSL 3.1, it is written the RFC 's. The protocol consists of two layers: TLS Record Protocol (TLS the Record) and TLS Handshake Protocol (TLS Handshake). TLS Record lower protocol layer, situated a reliable transport protocol (e.g., TCP) above.

We can simply be understood as TLS enhanced version of SSL.

reference

Guess you like

Origin www.cnblogs.com/54chensongxia/p/11772752.html
Recommended
Open Source Daily | Altman's Seven Deadly Sins; Microsoft Bing is down globally; the United States restricts AI exports; phase out VBScript; PostgreSQL 17
Ranking
Track news source code analysis RocketMQ
marked.js implements markdown table to HTML table, and then converts to json
Impossible d'ajouter la fenêtre android.view.ViewRootImpl$W@9b9fc47 -- autorisation refusée pour le type de fenêtre 2002
2019 digital-analog felt
[JS] study notes the first day of entry Vue.js
How to compare generic structs in C++?
CleanMyMac2024 free license activation code
20191213_bind DNS
Recursive (VI): Recursive applet to read
Jetson installs Anaconda (miniforge3)
Daily
More
2024-05-24(12)
2024-05-23(35)
2024-05-22(9)
2024-05-21(35)
2024-05-20(5)
2024-05-19(0)
2024-05-18(31)
2024-05-17(6)
2024-05-16(23)
2024-05-15(5)

Code World

© 2018 codetd.com